Credit card transaction security fortified by new risk assessment system

Researchers today announced a bulked-up vulnerability risk assessment system that they say will help ensure the security of credit card transactions.

The Common Vulnerability Scoring System (CVSS) Version 2 was coauthored this year by researchers at the National Institute of Standards and Technology and Carnegie Mellon University in collaboration with 23 other organizations. CVSS Version 2 calculates risks on a scale from zero to 10 and evaluates how a vulnerability could compromise three properties: confidentiality (could it expose private information such as credit card numbers?), availability (could it be used to shut down the credit card system?) and integrity (could it be used to change credit card data?).
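As an added example that is not part of this article and not NIST's own tooling, the following Python script computes a CVSS Version 2 base score from a metric vector, using the metric weights and formula published in the CVSS v2 specification. The vectors scored at the bottom are constructed for illustration only and are not tied to any real vulnerability; the severity bands are the ones the NVD applies to v2 scores (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).

```python
# CVSS v2 base-score calculator (added example; weights from the CVSS v2 spec).
#
# The base score combines an Impact sub-score, built from the three
# properties the article names (Confidentiality, Integrity, Availability),
# with an Exploitability sub-score (how reachable the "door" is).

# Exploitability metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None

# Impact weights shared by C, I and A (CVSS v2 specification).
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}       # None / Partial / Complete

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse a v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def impact_subscore(metrics: dict) -> float:
    """Impact = 10.41 * (1 - (1-C) * (1-I) * (1-A))."""
    c = IMPACT_WEIGHT[metrics["C"]]
    i = IMPACT_WEIGHT[metrics["I"]]
    a = IMPACT_WEIGHT[metrics["A"]]
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(metrics: dict) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return (20 * ACCESS_VECTOR[metrics["AV"]]
            * ACCESS_COMPLEXITY[metrics["AC"]]
            * AUTHENTICATION[metrics["Au"]])


def base_score(vector: str) -> float:
    """Compute the CVSS v2 base score (0.0-10.0, one decimal place)."""
    metrics = parse_vector(vector)
    impact = impact_subscore(metrics)
    exploitability = exploitability_subscore(metrics)
    # f(Impact) is 0 when nothing is affected, so a reachable but harmless
    # "door" scores 0.0 instead of a small positive number.
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(raw, 1)


def severity(score: float) -> str:
    """NVD severity band for a v2 score."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed vectors; each one shows a different mix of the three properties.
    samples = [
        "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote, no auth, full compromise
        "AV:N/AC:L/Au:N/C:C/I:N/A:N",  # remote, exposes data only (e.g. card numbers)
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # remote, partial hit on all three
        "AV:L/AC:L/Au:N/C:P/I:N/A:N",  # local only, limited disclosure
        "AV:L/AC:H/Au:M/C:N/I:N/A:N",  # nothing affected -> 0.0
    ]
    for v in samples:
        s = base_score(v)
        print(f"{v:32} base={s:4.1f}  severity={severity(s)}")
```

Run it as-is to score the constructed sample vectors; `base_score()` accepts any complete v2 base vector, and the parser rejects a vector missing one of the six base metrics rather than silently scoring it.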

The CVSS scores used by the credit card industry are those for the 28,000 vulnerabilities provided by the NIST National Vulnerability Database (NVD), sponsored by the Department of Homeland Security.

According to Network World’s Cisco SubNet blog the CVSS is the first and only open framework for scoring the risk associated with vulnerabilities. CVSS is designed to rank information system vulnerabilities and provide an end user with a composite score representing the overall severity and risk the vulnerability presents. CVSS was created by The National Infrastructure Advisory Council. Over the years it has become widely adopted and is used by such heavy hitters as the Department of Homeland Security, CERT, Cisco, Union Pacific, and Symantec to name but a few.

According to NIST and Carnegie Mellon, when customers make an electronic transaction—either swiping a card at a checkout counter or through a commercial Web site—they enter personal payment information into a computer. That information is sent to a payment-card “server,” a computer system often run by the bank or merchant that sponsors the particular card. The server processes the payment data, communicates the transaction to the vendor, and authorizes the purchase.

According to NIST’s Peter Mell, lead author of CVSS Version 2, a payment-card server is like a house with many doors. Each door represents a potential vulnerability in the operating system or programs. Attackers check to see if any of the “doors” are open, and if they find one, they can often take control of all or part of the server and potentially steal financial information, such as credit card numbers, researchers said in a statement. To assess the security of their servers, payment card vendors use software that scans their systems for vulnerabilities.

To promote uniform standards in this important software, the Payment Card Industry Security Standards Council, an industry organization, maintains the Approved Scanning Vendor (ASV) compliance program, which currently covers 135 vendors, including assessors who do onsite audits of PCI information security.

By June 2008, all ASV scanners must use the current version of CVSS in order to identify security vulnerabilities and score them. Requiring ASV software to use CVSS, according to Bob Russo, General Manager of the PCI Security Standards Council, promotes consistency between vendors and ultimately provides good information for protecting electronic transactions. The council also plans to use NIST’s upcoming enhancements to CVSS, which will go beyond scoring vulnerabilities to identify secure configurations on operating systems and applications.

Copyright © 2007 IDG Communications, Inc.